Bugtraq mailing list archives

undocumented bugs - nfsd


From: tmogg () ZIGZAG PL (Mariusz Marcinkiewicz)
Date: Tue, 9 Nov 1999 11:39:39 +0100


Hi,
this is the voice of lam3rZ (.pl)

-- Introduction -

After reading lcamtuf's posts I decided to write this one. A few months ago one
of my friends - digit - found a bug in the Linux nfsd daemon. I made an example
sploit around IV 1999. Now the distributions ship a new nfsd, and nowhere was there
any information about the security weakness of the old version!

-- Affected -

Once again the affected distributions are RedHat 5.2 and Debian 2.1;
Slackware isn't vulnerable even though it has the *same* version of nfsd.
It's hard to say whether the bug is local or remote, please read the description.

-- Description -

Linux rpc.nfsd has a real_path bug. When a user tries to access a
directory with a long path, nfsd gets a SIGSEGV. There is a buffer overflow which
we can exploit to get root privileges on the server machine. I don't remember
all of the details but I'll try to write a few words ;)
The length of the path is checked if the user tries to make a long-path directory
over NFS, but it isn't checked when he tries to remove it. One way to exploit
this bug is to create the long-path directory locally and later rm it over NFS. In some
cases the bug can be exploited remotely: if the attacker has write access to the
exported directories via ftpd.

that's all folks.

cya

__
Mariusz Marcinkiewicz | phone: +48 601 080 286 | mail: many () rast lodz pdi net
System Administrator && Tech Support  <tmogg () zigzag pl>  http://www.zigzag.pl
Security Advisor tmogg () hert org http://www.hert.org [*] http://lam3rz.hack.pl
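The defect described in the post is a validation gap rather than a missing check: the path length was enforced on the create path but not on the remove path, so a name that could never be created over NFS could still reach the fixed-size buffer through rmdir. The following C example is added here as an illustration and is not code from the post or from nfsd; `copy_client_path`, `handle_request`, the operation enum and the buffer size `PATH_BUF_LEN` are all assumed names and values. It shows the defensive pattern: one bounded copy routine that every request handler goes through, so mkdir and rmdir reject an over-long path identically instead of one of them trusting the client.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size server path buffer (assumed size, not nfsd's). */
#define PATH_BUF_LEN 64

/* Hypothetical request types; the historical bug checked one but not the other. */
enum op { OP_MKDIR, OP_RMDIR };

/* Bounded length of a client-supplied string: never reads past 'limit' bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* The single length check shared by every operation that copies a client path.
 * Rejects (rather than truncates) anything that would not fit with its NUL,
 * so a fixed-size destination can never be overrun. */
static int copy_client_path(const char *client_path, char *dst, size_t dst_len)
{
    size_t n = bounded_len(client_path, dst_len);
    if (n >= dst_len)
        return -ENAMETOOLONG;
    memcpy(dst, client_path, n + 1);
    return 0;
}

/* Returns 0 if the request is accepted, a negative errno otherwise.
 * Both operations go through copy_client_path before touching 'local',
 * which is the property the vulnerable server lacked for removal. */
int handle_request(enum op which, const char *client_path)
{
    char local[PATH_BUF_LEN];
    int rc = copy_client_path(client_path, local, sizeof local);
    if (rc < 0)
        return rc;

    switch (which) {
    case OP_MKDIR:
        /* A real server would call mkdir(local, mode) here. */
        break;
    case OP_RMDIR:
        /* A real server would call rmdir(local) here. */
        break;
    }
    return 0;
}

/* Helper for the demo: build a constructed path of 'path_len' 'a' characters
 * (capped at 255) and submit it as the given operation. */
int path_result(enum op which, size_t path_len)
{
    char buf[256];
    if (path_len > sizeof buf - 1)
        path_len = sizeof buf - 1;
    memset(buf, 'a', path_len);
    buf[path_len] = '\0';
    return handle_request(which, buf);
}

int main(void)
{
    /* Constructed inputs: one path that fits, one that does not. */
    printf("mkdir short : %d\n", path_result(OP_MKDIR, 10));
    printf("rmdir short : %d\n", path_result(OP_RMDIR, 10));
    printf("mkdir long  : %d\n", path_result(OP_MKDIR, PATH_BUF_LEN));
    printf("rmdir long  : %d\n", path_result(OP_RMDIR, PATH_BUF_LEN));
    return 0;
}
```

The point to take from the example is structural: the check lives in the only routine that writes into the fixed buffer, so adding a new operation later cannot reintroduce the gap. A length limit enforced per handler is only as good as the handler that forgot it.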
